US intelligence chief: the Internet of Things will be used to spy and hack

February 15, 2016

3 Min Read

At least they’re being upfront about it.

James Clapper, the United States director of national intelligence, has acknowledged what many in the online security industry have warned about for some time – that intelligence and surveillance agencies are planning to use the Internet of Things to spy and hack.

The admission came in a testimony submitted to the US senate earlier this week:

“Smart” devices incorporated into the electric grid, vehicles – including autonomous vehicles – and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the loT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

The focus of Clapper’s testimony might have been that these are issues which could pose a serious threat to US security, with hackers in overseas countries exploiting poorly designed IoT devices for the purposes of spying, stealing and disruption.

But we shouldn’t kid ourselves – such methods will be used by America’s intelligence agencies too, in its pursuit to collect information about its enemies, foreign governments and criminal organisations.

We wouldn’t dream of attaching a desktop computer to the internet without having security in place, so how come everything from internet-connected toothbrushes to smartphone-controlled washing machines and remote control thermostats are fine to plug in?

The truth is that “smart” devices have the potential to be very, very dumb when it comes to security. Unlike PC and software vendors who have decades of computer security experience, the manufacturers of these new devices often have little in the way of expertise and yet could still be exposing us and our personal data to the threat of hackers.

It’s not just intelligence agencies that we have to worry about exploiting these security holes. Each and every one of us should be concerned about the risk that we’re making it too easy for criminals to snoop on us, and potentially steal our passwords and personal information by taking advantage of the internet-enabled gadgets we bring into our home.

Unless manufacturers learn their lessons, and harden their internet-enabled devices against attacks, we face a future where the risks increase and the internet of insecure, untrustworthy things becomes a reality for us all.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

And then I see they sort of admit it. I don’t think they are being upfront. They say might use it. The fact they do this is even more pathetic; it’s very weak even for a government agency. They aren’t fooling anyone and they might as well admit it outright – but they don’t because they’re too scared and not strong enough to admit what everyone knows anyway. Stupid and cowardly.

“Each and every one of us should be concerned about the risk that we’re making it too easy for criminals to snoop on us, and potentially steal our passwords and personal information by taking advantage of the internet-enabled gadgets we bring into our home.” — Exactly. Good point, Graham. We do not only have to consider whether a product has been tried and tested and has a good credibility, but we also have to be wary of our own deeds. We have to be cautious of what we’re putting out there in the web. If you could just put it out of a device’s business that is connected to the internet, then that would be a better decision that risking it out there.